2011-xu-internet
findings extracted from this paper
-
The study located 495 router interfaces with attached IDS filtering devices across China, with CHINANET holding 79.4% and CNCGROUP 17.4%. The two ISPs use fundamentally different placement strategies: CHINANET distributes filtering across provincial networks (80% of its 21 served provinces operate their own filtering devices, Guangdong alone hosting 84 of 374 CHINANET interfaces), while 90% of CNCGROUP's 82 filtering interfaces concentrate in its backbone.
-
CNCGROUP's filtering interface count has grown to three times its 2007 level, now accounting for 17.4% of all 495 filtering interfaces found, while CHINANET's count has remained stable since 2007. This divergence indicates CNCGROUP is actively expanding its censorship infrastructure while CHINANET's filtering capacity has matured.
-
China's AS-level topology is shallow and concentrated: CHINANET and CNCGROUP together account for 63.9% of 133 unique foreign peerings, 87% of internal ASes are within one hop of a border AS, and just 24 border/backbone ASes serve as effective choke points for all international traffic. The TTL of GFW RST packets is now crafted to prevent IDS localization by TTL inspection, requiring TTL-incrementing probe packets to identify filtering device positions.
-
The GFW is fully stateful as of 2010: probing all 11,824 Chinese IP prefixes with single TCP packets containing the keyword 'falun' produced no RST responses, confirming that a complete TCP handshake must precede any filtering trigger. Earlier measurements (2006, 2007) reported contradictory results; this study finds statefulness is now universal across all probed prefixes.
-
14 of 495 filtering interfaces (2.9%) are located in non-border internal ASes, all but two belonging to CHINANET provincial subsidiaries. The paper notes that CHINANET's provincial filtering architecture creates infrastructure capable of inspecting inter-provincial domestic traffic, even though there is no current evidence it is being used for that purpose.
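
The finding above on crafted RST TTLs can be seen in a short analysis, added here as an example and not taken from the paper's own tooling. It runs over constructed probe records and contrasts the naive distance inferred from a received RST's TTL with the hop found by TTL-incrementing probes. The names `PATH`, `PROBES`, `naive_estimates` and `locate_filter`, the addresses, and the `min_trials` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not measurements from the paper).
# hop -> router interface from ICMP time-exceeded replies; None = hop did not answer.
PATH = {1: "198.51.100.1", 2: "198.51.100.9", 3: None,
        4: "203.0.113.5", 5: "203.0.113.77", 6: "192.0.2.10"}
# (probe TTL, TTL field of the RST received back or None). Each probe is a
# keyword-bearing segment sent on an already established TCP connection.
PROBES = [(1, None), (1, None), (2, None), (2, None), (3, None), (3, None),
          (4, 57), (4, None), (4, 121), (5, 249), (5, 60), (6, 118)]

INITIAL_TTLS = (64, 128, 255)  # assumed defaults for the naive method


def naive_estimates(probes):
    """Distances implied by received RST TTLs if the sender used a default TTL."""
    seen = {min(t for t in INITIAL_TTLS if t >= r) - r
            for _, r in probes if r is not None}
    return sorted(seen)


def locate_filter(probes, path, min_trials=2):
    """Return (hop, interface, confident) for the lowest probe TTL that drew a RST.

    confident is False when any shorter TTL was probed fewer than min_trials
    times, since one lost probe could hide an earlier filtering hop.
    """
    sent, hits = defaultdict(int), defaultdict(int)
    for ttl, rst_ttl in probes:
        sent[ttl] += 1
        hits[ttl] += rst_ttl is not None
    triggering = [t for t in sorted(hits) if hits[t]]
    if not triggering:
        return None  # no RST at any TTL: no filter seen on this path
    hop = triggering[0]
    confident = all(sent[t] >= min_trials for t in range(1, hop))
    return hop, path.get(hop), confident


if __name__ == "__main__":
    print("naive distances from RST TTLs:", naive_estimates(PROBES))
    print("probe-based location:", locate_filter(PROBES, PATH))
```

With crafted RST TTLs the naive method yields several incompatible distances for one path, while the lowest triggering probe TTL gives a single hop that can be matched to a router interface.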